Simulating COVID-19 Phishing Emails


The world is a strange place at the moment, and many of us have more time than usual to reflect on things. Habits that used to seem trivial, like washing your hands thoroughly several times a day, have become routine. Shops that used to ask people to uncover their faces now frown at anyone not wearing a mask.

Emotions are high, anxiety is high, and things have definitely changed. It is against this backdrop that we find ourselves asking which actions are sensitive and which are not.

Usually, whenever there is a global news story or event, criminals jump on the bandwagon and put the phishing machine into action. The COVID-19 pandemic is no exception, with a sharp spike in COVID-19-specific phishing templates.

To stop employees falling victim to these scams, one of the most effective methods has been to send simulated phishing emails on the same topic, raising awareness and training employees to recognize the scams before they fall for the real thing.

In these different times, there is a question as to whether it is appropriate to send COVID-19-themed simulated phishing emails at all.

It's just a prank bro

Pranks are usually fun and harmless. When I was young, Whoopee Cushions were very popular. Similar in design to a balloon, one would be inflated and placed on someone's seat. When they sat on it, the cushion would let out a raspberry sound that would embarrass and confuse them until they saw everyone around them laughing.

But a prank is only really a prank when everyone can laugh about it afterwards. We often see YouTube videos where someone is desperately yelling, "It's just a prank bro" like a get-out-of-jail card after taking a practical joke too far.

Perhaps one of the worst examples in recent times came to court in June 2019: Kanghua Ren, known to his followers as ReSet, had swapped the creme filling of an Oreo biscuit for toothpaste and offered it to a homeless man on the streets of Barcelona. The homeless man vomited after eating the biscuit.

A Barcelona court found Mr. Ren guilty of violating the moral integrity of the homeless man. He is unlikely to serve any time behind bars, however, as Spanish law normally allows sentences under two years for first-time offenders in nonviolent crimes to be suspended.

We're on the same side

You see, a prank that targets an unsuspecting and unwilling participant can be cruel and offensive, while the same prank among friends can be taken much further without causing any offense at all. That is roughly how I feel about simulated phishing emails.

They are a tool to help educate and train employees. Regardless of the template being used, be it COVID-19 or any other, there will always be some likelihood that someone is offended.

This is a good time to evaluate what is actually causing people pain. Is it really the template, or is it the manner in which the security team has been testing its employees? Do the simulated phishing emails seek to educate and inform, or are they delivered in a way designed to catch people out and humiliate them?

At the end of the day, you know your company and culture better than anyone else. Some countries and regions around the world may feel it's insensitive to use a COVID-19 template, others will not. Empathy is key and, after all, we're all on the same side. Our objective is to secure the organization and help educate employees.

So, if you are considering running a phishing simulation, start by warning employees. Provide information about how cyber-criminals are using this stressful time to their advantage. Tell them you are going to help them prepare by sending COVID-19 and other simulations, and that you are going to ramp up other testing. If someone does click, land them on a short, blame-free explanation of the tell-tale signs they missed rather than on a reprimand; the simulation exists to teach, not to score.

Most importantly, keep it in the spirit and tone of collaboration, working together to secure your organization. Whatever your view on whether a COVID-19 phishing template is appropriate, the reality is that the criminals will definitely continue to use them.
